Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
  • submitted
    02/04/2024, 13:34

General

  • Target

    b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe

  • Size

    7.0MB

  • MD5

    6b47add2cf208a988c57c8f00461de0b

  • SHA1

    cf9518f4bd3cf94ab7225423e4365f4a262a9c61

  • SHA256

    b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07

  • SHA512

    e2f5eb2e82ab1951e0bfe0994219ed676a71ccb9804be7ebbea42d9ad9596922c16600a101caccbbfd161b98fcc2d7b3e9591afb66e1878627f6cee0918b6a35

  • SSDEEP

    196608:oA+bmZgkjTKD4C4+e4YcJE4AcnPmP99j+zE/k:oAEGZjTvC4EtAcPmPJ/

Score
10/10

Malware Config

Extracted

Family

xworm

C2

210.246.215.82:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    WindowsNT.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Drops file in Drivers directory 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 19 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
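
The configuration and dropped-file indicators above are only useful once they are matched against host telemetry. The script below is an added example, not part of the sandbox report: it copies the C2, Install_directory/install_file and dropped-file SHA256 values from this page and checks constructed event records against them. The event records, the environment map and the event field names are assumptions made for illustration; nothing here comes from the analysed sample itself.

```python
"""Check host telemetry against the indicators listed in the report above.

Added example (not part of the sandbox report). Indicator values are copied
from the Malware Config and dropped-file sections; the event records, the
field names and the environment map are constructed for illustration.
"""
import ntpath
import re

C2_HOST, C2_PORT = "210.246.215.82", 7000            # Malware Config > C2
INSTALL_PATH = r"%ProgramData%\WindowsNT.exe"         # Install_directory + install_file
DROPPED_SHA256 = {                                     # dropped files listed on this page
    "3c468ad439464cebe619052e06cf797b296ab0d9bcf88d475fb5c9b42b489573": "XClient.exe",
    "edb57df920f62e6f1241695f8a46e420f104455a54fe91431db545834fd8d5ba": "xSpoofer-new.exe",
}


def expand_env(path, env):
    """Expand %NAME% tokens with a caller-supplied map (case-insensitive, as Windows does)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def same_path(a, b, env):
    """Compare two Windows paths after env expansion, case folding and slash normalisation."""
    return ntpath.normcase(expand_env(a, env)) == ntpath.normcase(expand_env(b, env))


def match_event(ev, env):
    """Return the indicator names one event hits (empty list when it is clean)."""
    hits = []
    if ev["type"] == "network" and ev["dst"] == C2_HOST and ev["port"] == C2_PORT:
        hits.append("xworm_c2")
    if ev["type"] == "file_write":
        if same_path(ev["path"], INSTALL_PATH, env):
            hits.append("xworm_install_file")
        name = DROPPED_SHA256.get(ev.get("sha256", "").lower())  # hashes compare case-insensitively
        if name:
            hits.append("dropped_" + name)
    return hits


def scan(events, env):
    """Return {event_id: [hits]} for every event that matches at least one indicator."""
    return {ev["id"]: h for ev in events if (h := match_event(ev, env))}


# Constructed sample events and environment (assumptions, not data from the report).
ENV = {"programdata": r"C:\ProgramData"}
EVENTS = [
    {"id": 1, "type": "file_write", "path": r"C:\ProgramData\WindowsNT.exe"},
    {"id": 2, "type": "network", "dst": "210.246.215.82", "port": 7000},
    {"id": 3, "type": "network", "dst": "192.0.2.10", "port": 443},  # unrelated traffic
    {"id": 4, "type": "file_write",
     "path": r"C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe",
     "sha256": "EDB57DF920F62E6F1241695F8A46E420F104455A54FE91431DB545834FD8D5BA"},
]

if __name__ == "__main__":
    for event_id, hits in scan(EVENTS, ENV).items():
        print(event_id, hits)
```

Path comparison goes through environment expansion and case folding because the report records the install location as `%ProgramData%`, while endpoint logs usually carry the expanded, mixed-case path; the hash lookup lower-cases its input for the same reason.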

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe
    "C:\Users\Admin\AppData\Local\Temp\b9503635ef25a584476f71aa4a010b3978ee04e8a956e810b71b05bbef32bb07.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Users\Admin\AppData\Roaming\XClient.exe
      "C:\Users\Admin\AppData\Roaming\XClient.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3008
    • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
      "C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"
      2⤵
      • Drops file in Drivers directory
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblAuthManager
        3⤵
        • Executes dropped EXE
        PID:2340
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XblGameSave
        3⤵
        • Executes dropped EXE
        PID:2844
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxGipSvc
        3⤵
        • Executes dropped EXE
        PID:2416
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop XboxNetApiSvc
        3⤵
        • Executes dropped EXE
        PID:1000
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop xboxgip
        3⤵
        • Executes dropped EXE
        PID:1960
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblAuthManager
        3⤵
        • Executes dropped EXE
        PID:776
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XblGameSave
        3⤵
        • Executes dropped EXE
        PID:2276
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxNetApiSvc
        3⤵
        • Executes dropped EXE
        PID:1452
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete XboxGipSvc
        3⤵
        • Executes dropped EXE
        PID:2220
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete xboxgip
        3⤵
        • Executes dropped EXE
        PID:412
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe stop vgk
        3⤵
        • Executes dropped EXE
        PID:1996
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe delete "HKLM\SYSTEM\CurrentControlSet\Services\xbgm" /f
        3⤵
        • Executes dropped EXE
        PID:2812
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR" /v AllowGameDVR /t REG_DWORD /d 0 /f
        3⤵
        • Executes dropped EXE
        PID:2132
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /disable
        3⤵
        • Executes dropped EXE
        PID:1572
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe /Change /TN "Microsoft\XblGameSave\XblGameSaveTaskLogon" /disableL
        3⤵
        • Executes dropped EXE
        PID:2548
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe -Command "& {Get-AppxPackage -allusers *xbox* | Remove-AppxPackage}"
        3⤵
        • Executes dropped EXE
        PID:2400
      • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe
        3⤵
        • Executes dropped EXE
        PID:2404
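
Every child of PID 2576 in the tree above is recorded with the image `xSpoofer-new.exe`, yet the arguments are those of `sc.exe` (`stop`/`delete` a service), `reg.exe` (`add`/`delete` a key), `schtasks.exe` (`/Change /TN`) and `powershell.exe` (`-Command`). Taken together with the "Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory" signatures, this is consistent with the parent starting copies of itself and replacing their image before they run; that reading is an inference from the listed signatures, not something the report states. The script below is an added example, not part of the report: it transcribes a subset of the command lines from the tree, adds one constructed benign row for contrast, and flags records whose arguments fit a well-known tool while the image is something else. The tool-signature patterns are my own heuristic.

```python
"""Flag child processes whose image name does not fit their command line.

Added example, not from the sandbox report. RECORDS transcribes command lines
from the process tree above (plus one constructed benign row); the
TOOL_SIGNATURES patterns are a heuristic assumption, not a published rule.
"""
import ntpath
import re

# Argument shapes that belong to specific Windows tools (heuristic, assumption).
TOOL_SIGNATURES = {
    "sc.exe":         re.compile(r"^(stop|delete|start|create|config)\s+\S+$", re.I),
    "reg.exe":        re.compile(r'^(add|delete|query)\s+"?HK(LM|CU|CR|U)\\', re.I),
    "schtasks.exe":   re.compile(r"^/(change|create|delete|query)\b.*\s/tn\s", re.I),
    "powershell.exe": re.compile(r"^-command\s", re.I),
}


def split_image(cmdline):
    """Return (image_path, argument_string) from a Windows command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):                     # quoted image path
        end = cmdline.index('"', 1)
        return cmdline[1:end], cmdline[end + 1:].strip()
    head, _, rest = cmdline.partition(" ")
    return head, rest.strip()


def expected_tool(args):
    """Name the tool these arguments belong to, or None if no pattern fits."""
    for tool, pattern in TOOL_SIGNATURES.items():
        if pattern.search(args):
            return tool
    return None


def find_mismatches(records):
    """Return (pid, image_basename, expected_tool, args) for every record whose
    arguments fit a known tool but whose image is a different executable."""
    out = []
    for rec in records:
        image, args = split_image(rec["cmdline"])
        tool = expected_tool(args)
        base = ntpath.basename(image).lower()
        if tool and base != tool:
            out.append((rec["pid"], base, tool, args))
    return out


def tools_per_parent(records):
    """Group mismatches by parent PID: one parent whose self-named children carry
    sc/reg/schtasks/powershell arguments is the shape of the tree above."""
    by_parent = {}
    for rec in records:
        for _pid, _base, tool, _args in find_mismatches([rec]):
            by_parent.setdefault(rec["ppid"], set()).add(tool)
    return by_parent


PARENT = 2576
IMAGE = r"C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe"
RECORDS = [  # transcribed from the process tree above
    {"pid": 2340, "ppid": PARENT, "cmdline": IMAGE + " stop XblAuthManager"},
    {"pid": 776,  "ppid": PARENT, "cmdline": IMAGE + " delete XblAuthManager"},
    {"pid": 2812, "ppid": PARENT,
     "cmdline": IMAGE + r' delete "HKLM\SYSTEM\CurrentControlSet\Services\xbgm" /f'},
    {"pid": 2132, "ppid": PARENT,
     "cmdline": IMAGE + r' add "HKLM\SOFTWARE\Policies\Microsoft\Windows\GameDVR"'
                        r' /v AllowGameDVR /t REG_DWORD /d 0 /f'},
    {"pid": 1572, "ppid": PARENT,
     "cmdline": IMAGE + r' /Change /TN "Microsoft\XblGameSave\XblGameSaveTask" /disable'},
    {"pid": 2400, "ppid": PARENT,
     "cmdline": IMAGE + ' -Command "& {Get-AppxPackage -allusers *xbox* | Remove-AppxPackage}"'},
    {"pid": 2404, "ppid": PARENT, "cmdline": IMAGE},
    # constructed benign row (not from the report): the real sc.exe doing the same thing
    {"pid": 9999, "ppid": 4321, "cmdline": r"C:\Windows\System32\sc.exe stop XblAuthManager"},
]

if __name__ == "__main__":
    for hit in find_mismatches(RECORDS):
        print(hit)
    print(tools_per_parent(RECORDS))
```

The `delete` verb is shared by `sc.exe` and `reg.exe`, so the `sc.exe` pattern insists on a single trailing token and the `reg.exe` pattern on a hive prefix; PID 2812 therefore resolves to `reg.exe`, not `sc.exe`. The argument-less PID 2404 and the benign `sc.exe` row produce no hit.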

Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Users\Admin\AppData\Roaming\XClient.exe

          Filesize

          87KB

          MD5

          626eb43e3611e3217f8602f7b8206889

          SHA1

          358935565a0a495a62559b204b7b41cbc365d8d9

          SHA256

          3c468ad439464cebe619052e06cf797b296ab0d9bcf88d475fb5c9b42b489573

          SHA512

          f4bf30eeadb557501362de71d4b6d58ab498d98e52b453f6e20309da36fe288d098dab9bb08cfcecf12787536ff20f0e649401ab6b0ff75e6671a4f3ebc4cd29

        • C:\Users\Admin\AppData\Roaming\xSpoofer-new.exe

          Filesize

          6.8MB

          MD5

          233320478ce264f9e08d249244dc4fdb

          SHA1

          af46758a7c39b4edf4b5b0819f732abb5ad19e17

          SHA256

          edb57df920f62e6f1241695f8a46e420f104455a54fe91431db545834fd8d5ba

          SHA512

          b1c06e96cbabd58f8489a18c8c270718cea634a9bbd4fd67786cd5d31cfa475d4f97e2389f1ce2b5ddf10db9687b5cb5361e878d29427f9670f59343468d5967

        • memory/412-168-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/776-107-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1000-138-0x000000013FAC0000-0x00000001405B0000-memory.dmp

          Filesize

          10.9MB

        • memory/1000-67-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

          Filesize

          4KB

        • memory/1000-74-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1000-76-0x000000013FAC0000-0x00000001405B0000-memory.dmp

          Filesize

          10.9MB

        • memory/1452-137-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1572-223-0x0000000100000000-0x0000000100048000-memory.dmp

          Filesize

          288KB

        • memory/1572-222-0x0000000100000000-0x0000000100048000-memory.dmp

          Filesize

          288KB

        • memory/1960-153-0x000000013FAC0000-0x00000001405B0000-memory.dmp

          Filesize

          10.9MB

        • memory/1960-91-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/1960-84-0x000007FFFFFD8000-0x000007FFFFFD9000-memory.dmp

          Filesize

          4KB

        • memory/1996-183-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2132-209-0x0000000100000000-0x0000000100056000-memory.dmp

          Filesize

          344KB

        • memory/2220-152-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2244-73-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

          Filesize

          9.9MB

        • memory/2244-0-0x0000000000B20000-0x000000000122E000-memory.dmp

          Filesize

          7.1MB

        • memory/2244-1-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

          Filesize

          9.9MB

        • memory/2276-123-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2276-122-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2340-31-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2340-17-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2340-24-0x000007FFFFFDA000-0x000007FFFFFDB000-memory.dmp

          Filesize

          4KB

        • memory/2340-23-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2340-26-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2340-19-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2340-29-0x000000013FAC0000-0x00000001405B0000-memory.dmp

          Filesize

          10.9MB

        • memory/2340-18-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2340-20-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2340-30-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2340-21-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2340-22-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2416-59-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2416-53-0x000007FFFFFD3000-0x000007FFFFFD4000-memory.dmp

          Filesize

          4KB

        • memory/2548-236-0x0000000100000000-0x0000000100048000-memory.dmp

          Filesize

          288KB

        • memory/2576-16-0x00000000778C0000-0x0000000077A69000-memory.dmp

          Filesize

          1.7MB

        • memory/2576-246-0x000000013FAC0000-0x00000001405B0000-memory.dmp

          Filesize

          10.9MB

        • memory/2576-93-0x00000000778C0000-0x0000000077A69000-memory.dmp

          Filesize

          1.7MB

        • memory/2576-245-0x00000000778C0000-0x0000000077A69000-memory.dmp

          Filesize

          1.7MB

        • memory/2576-90-0x000000013FAC0000-0x00000001405B0000-memory.dmp

          Filesize

          10.9MB

        • memory/2576-15-0x000000013FAC0000-0x00000001405B0000-memory.dmp

          Filesize

          10.9MB

        • memory/2812-196-0x0000000100000000-0x0000000100056000-memory.dmp

          Filesize

          344KB

        • memory/2844-45-0x0000000100000000-0x000000010000F000-memory.dmp

          Filesize

          60KB

        • memory/2844-108-0x000000013FAC0000-0x00000001405B0000-memory.dmp

          Filesize

          10.9MB

        • memory/2844-39-0x000007FFFFFDF000-0x000007FFFFFE0000-memory.dmp

          Filesize

          4KB

        • memory/3008-7-0x00000000003B0000-0x00000000003CC000-memory.dmp

          Filesize

          112KB

        • memory/3008-8-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

          Filesize

          9.9MB

        • memory/3008-79-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

          Filesize

          9.9MB

        • memory/3008-167-0x000000001B360000-0x000000001B3E0000-memory.dmp

          Filesize

          512KB

        • memory/3008-238-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

          Filesize

          9.9MB

        • memory/3008-106-0x000000001B360000-0x000000001B3E0000-memory.dmp

          Filesize

          512KB